OpenSSH – Configuring both Server and Client


Secure Shell (SSH) is a cryptographic network protocol for secure data communication, remote command-line login, remote command execution and other secure network services between two networked computers. It connects a server and a client (running the SSH server and SSH client programs, respectively) over a secure channel on top of an insecure network.

At the Server

Sit down at the server machine and log in to your account. If it is the root account that is fine for now; if it is not, I suggest typing these commands:

sudo su
passwd

and set a root password, so that you can log in as root from now on. If you did that, log out (Ctrl-D) and log in as root by typing su -

Next we need to create a new user, and I suggest giving it a non-obvious name. In this article I'll use saint as the username. To do so type these commands:

useradd -d /home/saint -m -U -s /bin/bash saint
passwd saint

and set a password for this user. Note that this user is not in the sudoers list, so he cannot run commands that need root privileges simply by typing his own password; to do that he must know the root password and become root by typing su -


The next step is to install the OpenSSH server with the command:

apt-get install --yes --no-install-recommends openssh-server

Make a backup of the server’s sshd_config file and make it read-only with these commands:

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
chmod a-w /etc/ssh/sshd_config.orig

Then use your favorite editor to edit the sshd_config file e.g. vi /etc/ssh/sshd_config and make the following suggested changes to it.

Change OpenSSH default port

The default port 22 should be changed. This is not a security control in itself (a port scan finds sshd wherever it listens), but it keeps the constant background noise of automated brute-force bots out of your auth log, so that a real attempt against your server stands out. To do so locate the following line in the sshd_config file

Port 22

and change it to an unused high port, e.g. 48250

Port 48250

Bind OpenSSH only to your internal interface

Locate the following line in the sshd_config file

#ListenAddress 0.0.0.0

remove the leading # and change the address to your server's internal IP address, e.g. 172.16.3.10, so that sshd does not listen on any external interface

ListenAddress 172.16.3.10

Disable root login via SSH

Next, disallow direct root logins over SSH: an attacker then has to guess a username as well as a password, and every session is tied to a named account before anyone becomes root. To do that locate the following line in the sshd_config file

PermitRootLogin yes

and change it to

PermitRootLogin no

Additionally you can add the following line so that only the user saint we created earlier can log in via SSH; every other account is rejected even with a correct password or key.

AllowUsers saint

At this point save the sshd_config file. Before restarting, run sshd -t as root: it reports syntax errors in the file without touching the running daemon, and a broken file would otherwise leave you with no sshd at all. Then restart (restart ssh is the Upstart command on Ubuntu; on other systems use service ssh restart or your init system's equivalent) and confirm that sshd now listens only on 172.16.3.10:48250:

restart ssh
netstat -tulapn | grep sshd

At the Client

Now change seats and go to the client machine, which must be in the same internal network as your SSH server. Log in as a normal user and install the OpenSSH client by typing:

sudo apt-get install --yes --no-install-recommends openssh-client

or use su - and install it as root. Once that is done (if you logged in as root, log out with Ctrl-D and log back in as the normal user) we need to do the following:

Create Private/Public Keys to use the private/public key authentication scheme

The first step is to create an RSA key pair for authentication. ssh-keygen will ask for a passphrase that encrypts the private key on disk; if you want one generated for you, apg -m 8 -x 12 -l -M SNCL prints candidates of 8 to 12 characters containing upper case, lower case, digits and symbols. Now create the keys by typing this command:

ssh-keygen -t rsa -b 4096 -C "$(whoami)@$(hostname)-$(date -I)"

Take the suggested defaults and choose a strong passphrase. (If both ends run OpenSSH 6.5 or newer, -t ed25519 instead of -t rsa -b 4096 gives a shorter, faster key with no loss of security.)
After this you'll have a .ssh directory, created with the proper permissions, containing your private key id_rsa and your public key id_rsa.pub.
Next, add the private key identity to the authentication agent, so that you type the passphrase once per session rather than on every connection:

ssh-add ~/.ssh/id_rsa

type the passphrase and check that it is loaded with:

ssh-add -l

Now your public key id_rsa.pub must be transferred to the saint account on the SSH server. To do this type the command:

ssh-copy-id -i ~/.ssh/id_rsa.pub -p 48250 saint@172.16.3.10

Older versions of ssh-copy-id do not understand -p; with those, pass the port and the target together as one quoted argument: ssh-copy-id -i ~/.ssh/id_rsa.pub "-p 48250 saint@172.16.3.10". If you get a usage error, try it the other way round.
Because this is the first contact with the server, you are shown the fingerprint of its host key and asked whether to continue. Compare it with the fingerprint the server prints for its own key (ssh-keygen -lf on the /etc/ssh/ssh_host_*_key.pub file of whichever key type is shown, run on the server's console); only if they match, type the whole word yes and then saint's password. You will then be told that the server was added to known_hosts, which is the point: from now on ssh warns loudly if that key ever changes. Accepting an unchecked key is what would let a machine in the path impersonate your server and capture the password you are about to type.

Remote login to the SSH server

Now it’s time to connect to the SSH server from our client. Type this:

ssh -p 48250 saint@172.16.3.10

Because the agent holds your unlocked key, you should be logged in without being asked for saint's password. If you are prompted for the password after all, public-key authentication failed (most often because of permissions on ~/.ssh or authorized_keys on the server, which sshd's StrictModes rejects if they are group- or world-writable); find out why before the next section turns password logins off.
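
The first contact above (at ssh-copy-id, and again at ssh if the host was not yet recorded) asks you to accept a host key you have not checked. As an added example, not part of the original post, this script records the server's key only after its fingerprint matches one you obtained from the server out of band (ssh-keygen -lf on the server's /etc/ssh/ssh_host_*_key.pub files, read over the console). Host 172.16.3.10 and port 48250 are the article's sample values, the function names are this example's own, and it needs ssh-keygen and ssh-keyscan from openssh-client.

```sh
#!/bin/sh
# Added example (not from the original post): accept a host key into
# known_hosts only when its fingerprint equals one obtained out of band.
# Assumes openssh-client is installed; 172.16.3.10 / 48250 are the
# article's sample host and port, function names are this example's own.

# pubkey_fingerprint "KEYTYPE BASE64"
# Prints the fingerprint (SHA256:... on current OpenSSH) of one public key.
pubkey_fingerprint() {
    t=$(mktemp) || return 1
    printf '%s\n' "$1" > "$t"
    ssh-keygen -lf "$t" | awk '{ print $2 }'
    rm -f "$t"
}

# trust_host_key KNOWN_HOSTS EXPECTED_FP "HOSTSPEC KEYTYPE BASE64"
# Appends the known_hosts line only if the key's fingerprint equals
# EXPECTED_FP; otherwise leaves the file alone and returns 1.
trust_host_key() {
    kh=$1 expected=$2 line=$3
    # a known_hosts line is "hostspec keytype base64 [comment]"
    key=$(printf '%s\n' "$line" | awk '{ print $2, $3 }')
    fp=$(pubkey_fingerprint "$key")
    if [ -n "$fp" ] && [ "$fp" = "$expected" ]; then
        printf '%s\n' "$line" >> "$kh"
        return 0
    fi
    printf 'refusing host key: fingerprint %s does not match expected %s\n' \
        "${fp:-<unreadable>}" "$expected" >&2
    return 1
}

# scan_and_trust HOST PORT EXPECTED_FP [KNOWN_HOSTS]
# Fetches the server's host keys with ssh-keyscan (which itself trusts
# nothing) and records the one matching EXPECTED_FP.  Because the port is
# not 22, both ssh-keyscan and ssh store the host as "[HOST]:PORT".
scan_and_trust() {
    host=$1 port=$2 expected=$3 kh=${4:-$HOME/.ssh/known_hosts}
    scan=$(ssh-keyscan -p "$port" "$host" 2>/dev/null) || return 1
    printf '%s\n' "$scan" | (
        while IFS= read -r line; do
            case $line in ''|'#'*) continue ;; esac
            trust_host_key "$kh" "$expected" "$line" 2>/dev/null && exit 0
        done
        echo "no host key from $host:$port matched $expected" >&2
        exit 1
    )
}
```

Source the file and run scan_and_trust 172.16.3.10 48250 SHA256:... with the fingerprint you copied from the server's console before the first ssh-copy-id; once the entry is in known_hosts neither ssh-copy-id nor ssh asks the yes/no question, and a later mismatch is treated as an attack rather than as something to click through.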

Great… now you should be on the SSH server as saint. Go on and type su - to become root for some additional changes.

Some final security brush-strokes

The first thing to do is to close the door that ssh-copy-id came through: password authentication. Before you do, make sure the key login above really worked, and keep that session open while you edit, so that a mistake in the file cannot lock you out. Use your favorite editor to edit the sshd_config file, e.g. vi /etc/ssh/sshd_config, and change the line:

#PasswordAuthentication yes

to

PasswordAuthentication no

Deny tunneling/forwarding

Change the line:

X11Forwarding yes

to

X11Forwarding no

and add these lines next to it

AllowTcpForwarding no
PermitTunnel no
AllowAgentForwarding no

Change PrintMotd no to PrintMotd yes and finally, at the end of the sshd_config file, change the line:

UsePAM yes

to

UsePAM no

Disabling PAM means sshd no longer runs PAM's account and session modules (pam_nologin, account expiry, limits set through PAM), so make sure you are not relying on those for SSH sessions. If you would rather keep UsePAM yes, also set ChallengeResponseAuthentication no, otherwise the keyboard-interactive prompt PAM provides still accepts passwords after PasswordAuthentication no. Finally add this line, which restricts the server to AES in counter mode:

Ciphers aes256-ctr,aes192-ctr,aes128-ctr

Leave the arcfour (RC4) and CBC ciphers out of this list: RC4 is broken, SSH's CBC mode has a known plaintext-recovery weakness (CVE-2008-5161), and OpenSSH 7.0 dropped both from its defaults. If the server runs OpenSSH 6.2 or newer you can put aes256-gcm@openssh.com first; a cipher name the installed version does not know makes sshd refuse to start, which sshd -t will tell you before you restart.

We're done for now. Save the file, check it once more with sshd -t, and restart the ssh service by typing:

restart ssh
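
Everything the server side of this article changes in sshd_config, from the Port and ListenAddress lines at the start to the PasswordAuthentication, forwarding, PrintMotd, UsePAM and Ciphers lines above, collected into one script that edits the file the way you just did by hand and validates it before you restart. This is an added example, not code from the original post: the function names are this example's own, the port 48250, address 172.16.3.10 and user saint are the article's sample values, and the sshd binary is assumed to live at /usr/sbin/sshd.

```sh
#!/bin/sh
# Added example (not from the original post): script the sshd_config
# edits described in the article.  Assumptions: POSIX sh and awk; the
# sshd binary is at /usr/sbin/sshd unless $SSHD says otherwise; the
# values 48250 / 172.16.3.10 / saint are the article's samples.

# set_sshd_option FILE KEY VALUE
# Rewrites FILE so that its global section holds exactly one "KEY VALUE"
# line: the first existing "KEY ..." or commented-out "#KEY ..." line is
# replaced in place, later global duplicates are dropped, and an absent
# KEY is inserted before the first "Match" block (or appended).  Lines
# inside Match blocks are passed through untouched, since there the same
# keyword is a conditional override, not the global default.  Keywords are
# matched case-sensitively, as they appear in the stock file.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        BEGIN {
            keyre   = "^[ \t]*#?" k "([ \t]|$)"
            matchre = "^[ \t]*Match([ \t]|$)"
        }
        !inmatch && $0 ~ matchre {
            if (!done) { print k " " v; done = 1 }
            inmatch = 1
        }
        inmatch    { print; next }
        $0 ~ keyre { if (!done) { print k " " v; done = 1 }; next }
                   { print }
        END        { if (!done) print k " " v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps mode and owner
    rc=$?
    rm -f "$tmp"
    return $rc
}

# sshd_option_value FILE KEY
# Prints the global value of KEY as sshd will use it: sshd takes the first
# uncommented occurrence, and anything after a Match line is conditional.
sshd_option_value() {
    awk -v k="$2" '
        BEGIN { keyre = "^[ \t]*" k "[ \t]+"; matchre = "^[ \t]*Match([ \t]|$)" }
        $0 ~ matchre { exit }
        $0 ~ keyre   { v = $0; sub(keyre, "", v); print v; exit }
    ' "$1"
}

# harden_sshd_config FILE PORT ADDR USER
# The full set of changes the article makes, in one place.
harden_sshd_config() {
    f=$1
    set_sshd_option "$f" Port "$2" &&
    set_sshd_option "$f" ListenAddress "$3" &&
    set_sshd_option "$f" PermitRootLogin no &&
    set_sshd_option "$f" AllowUsers "$4" &&
    set_sshd_option "$f" PasswordAuthentication no &&
    set_sshd_option "$f" X11Forwarding no &&
    set_sshd_option "$f" AllowTcpForwarding no &&
    set_sshd_option "$f" PermitTunnel no &&
    set_sshd_option "$f" AllowAgentForwarding no &&
    set_sshd_option "$f" PrintMotd yes &&
    set_sshd_option "$f" UsePAM no &&
    set_sshd_option "$f" Ciphers aes256-ctr,aes192-ctr,aes128-ctr
}

# check_sshd_config FILE
# sshd -t parses FILE and loads the host keys without starting a daemon,
# so run it as root on the server before every restart: with a broken
# file the restart fails and nothing is listening any more.
check_sshd_config() {
    "${SSHD:-/usr/sbin/sshd}" -t -f "$1"
}
```

On the server, after taking the backup described earlier, source the file as root and run harden_sshd_config /etc/ssh/sshd_config 48250 172.16.3.10 saint && check_sshd_config /etc/ssh/sshd_config, then restart ssh. Running it a second time changes nothing, so it is safe to re-apply after a package upgrade replaces the file.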

Keep in mind that you need the passphrase to log in remotely, so keep it safe, and keep a second way in (the console, or a second key stored offline) in case the client machine or its key is lost.


ADDENDUM:
Client’s ssh config file

Secure FTP (sftp)

CONCLUSION:

TO-DO:

